Special issue | Security and Privacy Issues in Cloud Computing

Vol. 72, n° 5-6, May-June 2017
Content available on Springerlink

Guest editors

Haider Abbas, National University of Sciences and Technology, Pakistan;
Florida Institute of Technology, United States
Olaf Maennel
, Tallin University of Technology, Estonia
Saïd Assar
, Télécom Ecole de Management, France


Security and Privacy Issues in Cloud Computing

Haider Abbas, Olaf Maennel, Saïd Assar


Service resizing for quick DDoS mitigation in cloud computing environment

Gaurav Somani1,2, Manoj Singh Gaur2,  Dheeraj Sanghi3, Mauro Conti4, Rajkumar Buyya5

(1) Central University of Rajasthan, India
(2) Malaviya National Institute of Technology, India
(3) Indian Institute of Technology, India
(4) University of Padua, Italy
(5) The University of Melbourne, Australia

Abstract Current trends in distributed denial of service (DDoS) attacks show variations in terms of attack motivation, planning, infrastructure, and scale. “DDoS-for-Hire” and “DDoS mitigation as a Service” are the two services, which are available to attackers and victims, respectively. In this work, we provide a fundamental difference between a “regular” DDoS attack and an “extreme” DDoS attack. We conduct DDoS attacks on cloud services, where having the same attack features, two different services show completely different consequences, due to the difference in the resource utilization per request. We study various aspects of these attacks and find out that the DDoS mitigation service’s performance is dependent on two factors. One factor is related to the severity of the “resource-race” with the victim web-service. Second factor is “attack cooling down period” which is the time taken to bring the service availability post detection of the attack. Utilizing these two important factors, we propose a supporting framework for the DDoS mitigation services, by assisting in reducing the attack mitigation time and the overall downtime. This novel framework comprises of an affinity-based victim-service resizing algorithm to provide performance isolation, and a TCP tuning technique to quickly free the attack connections, hence minimizing the attack cooling down period. We evaluate the proposed novel techniques with real attack instances and compare various attack metrics. Results show a significant improvement to the performance of DDoS mitigation service, providing quick attack mitigation. The presence of proposed DDoS mitigation support framework demonstrated a major reduction of more than 50% in the service downtime.

Keywords Cloud computing, Distributed denial of service attack (DDoS), Economic denial of service attack (EDoS), Security and protection


An empirical study on acceptance of secure healthcare service in Malaysia, Pakistan, and Saudi Arabia: a mobile cloud computing perspective

Rooh ul Amin1, Irum Inayat2, Basit Shahzad3, Kashif Saleem4, Li Aijun5

(1) Departement of Control & Information Engineering, Northwestern Polytechnical University, China
(2) Departement of Computer Science, FAST University of Computer and Emerging Sciences, Pakistan
(3) College of Computer and Information Science, Saudi Arabia
(4) Center of Excellence in Information Assurance (CoEIA), Saudi Arabia
(5) School of Automation, Northwestern Polytechnical University, China

Abstract The advent of information and communication technology in healthcare sector has taken the world to a new pervasive horizon. Cloud computing is a ubiquitous way of information and data transfer. Implementation of cloud computing in daily healthcare operations can bring numerous benefits. However, there is a resistance towards the usage of this modern technology by healthcare organizations and staff due to lack of IT exposure, resources, infrastructure, patient data privacy, and security issues. Therefore, there is a need to provide an empirical evidence on how healthcare industry is responding to this new technology and to point out the factors that hinder its implementation in healthcare sector. In this paper, we aim to conduct an empirical study to investigate the behavioural intention of healthcare organizations’ staff, towards the usage of cloud-based healthcare services to carry out their daily jobs. We used unified theory of acceptance and use of technology (UTAUT) as a theoretical basis to test the predictors i.e. performance expectancy, effort expectancy, facilitating conditions, and social influence in order to find the behavioural intention of the healthcare organizations’ staff. Age, experience, and gender were also studied as moderators to investigate their effect on the behavioural intention of the user. An online questionnaire-based survey was conducted with 147 healthcare professionals in Malaysia, Pakistan, and Saudi Arabia. The results showed that social influence was the least influencing predictor in determining the dependent variable and the years of experience positively influenced user’s behavioural intentions towards using cloud-based healthcare services.

Keywords Cloud computing, Cloud-based health services, Acceptance, Security and privacy, Mobile cloud computing, Empirical study


Securing wireless sensor networks for improved performance in cloud-based environments

Ashfaq Hussain Farooqi1, Farrukh Aslam Khan1,2,

(1) National University of Computer and Emerging Sciences, Pakistan
(2) King Saud University, Saudi Arabia

Abstract Cloud computing has a great potential to assist in storing and processing data collected from sensors placed in any environment such as smart homes, vehicles, hospitals, enemy surveillance areas, volcanoes, oceans, etc. The sensors may be implanted in the form of a body sensor network or placed in the surroundings. The data recorded by these sensors may further be used for several applications implemented in the cloud as well as other services. Here, the data is acquired from sensors through the wireless medium. Recent studies show that wireless sensor networks (WSNs) are vulnerable to various kinds of security threats and there is a requirement of a security solution that safeguards them from lethal attacks. In this paper, we modify the low-energy adaptive clustering hierarchy (LEACH) protocol for WSNs and add the functionality of intrusion detection to secure WSNs from sinkhole, black hole, and selective forwarding attacks. The modified protocol is called LEACH++. We perform two types of analyses: numerical analysis to check the effect on throughput and energy, and simulations in Network Simulator-2 (NS-2) to prove the results found from the numerical analysis. The results are quite promising and favor LEACH++ over LEACH under attack with respect to throughput and energy consumption.

Keywords Wireless sensor networks (WSNs), Cloud computing, Intrusion detection system (IDS), Low-energy adaptive clustering hierarchy (LEACH) protocol


Attacks and countermeasures in the internet of vehicles

Yunchuan Sun1,2, Lei Wu3, Shizhong Wu1, Shoupeng Li1, Tao Zhang1, Li Zhang1, Junfeng Xu1, Yongping Xiong4, Xuegang Cui2

(1) China Information Technology Security Evaluation Center, China
(2) Business School, Beijing Normal University, China
(3) College of Information Science & Technology, Beijing Normal University, China
(4) State Key Laboratory of Networking & Switching Technical, Beijing University of Posts & Telecommunications, China

Abstract As a typical application of Internet of Things (IoT) in the field of transportation, Internet of Vehicles (IoV) aims at achieving an integrated intelligent transportation system to enhance traffics efficiency, avoid accidents, ensure road safety, and improve driving experiences by using new IoT technologies. Different from other Internet, it is characterized by dynamic topological structures, huge network scale, non-uniform distribution of nodes, and mobile limitation. Due to these characteristics, IoV systems face various types of attacks, such as authentication and identification attacks, availability attacks, confidentiality attacks, routing attacks, data authenticity attacks, etc., which result in several challenging requirements in security and privacy. Many security scientists made numerous efforts to ensure the security and privacy for the Internet of Vehicles in recent years. This paper aims to review the advances on issues of security and privacy in IoV, including security and privacy requirements, attack types, and the relevant solutions, and discuss challenges and future trends in this area.

Keywords Internet of vehicle, Security, Privacy Countermeasure, Cloud computing


Modeling network traffic for traffic matrix estimation and anomaly detection based on Bayesian network in cloud computing networks

Laisen Nie1, Dingde JiangKhan1,Zhihan Lv2

(1) School of Computer Science and Engineering, Northeastern University, China
(2) Departement of Computer science, university College London, UK

Abstract With the rapid development of a cloud computing network, the network security has been a terrible problem when it provides much more services and applications. Network traffic modeling and analysis is significantly crucial to detect some lawless activities such as DDoS, virus and worms, and so on. Meanwhile, it is a common approach for acquiring a traffic matrix, which can be used by network operators to carry out network management and planning. Although a great number of methods have been proposed to model and analyze the network traffic, it is still a remarkable challenge since the network traffic characterization has been tremendously changed, in particular, for a cloud computing network. Motivated by that, we analyze and model the statistical features of network traffic based on the Bayesian network in this paper. Furthermore, we propose an accurate network traffic estimation approach and an efficient anomaly detection approach, respectively. In detail, we design a Bayesian network structure to model the causal relationships between network traffic entries. Based on this Bayesian network model, we obtain a joint probability distribution of network traffic by the maximum a posteriori approach. Then, we estimate the network traffic in terms of a regularized optimization model. Meanwhile, we also perform anomaly detection based on the proposed Bayesian network structure. We finally discuss the effectiveness of the proposed method for traffic matrix estimation and anomaly detection by applying it to the Abilene and GÉANT networks.

Keywords Cloud computing network, Network traffic modeling, Traffic matrix estimation, Anomaly detection, Bayesian network, Maximum a posteriori, Regularized optimization model


EACF: extensible access control framework for cloud environments

Faria Mehak1, Rahat Masood2, Muhammad Awais Shibli3, Islam Elgedway4

(1) School of Electrical Engineering and Computer Science (SEECS), National University of Sciences and Technology (NUST), Pakistan
(2) School of Electrical Engineering and Telecommunications (EE&T), University of New South Wales (UNSW), Australia
(3) VisionIT, MI, USA
(4) Middle East Technical University (METU), Northern Cyprus Campus, Turkey

Abstract The dynamic authorization and continuous monitoring of resource usage in cloud environments is a challenge. Moreover, the extant access control techniques are not well-suited for all types of the cloud-hosted applications predominantly for two reasons. Firstly, these techniques lack in providing features such as generality, extensibility, and flexibility. Secondly, they are static in nature, such that once the user is authorized, they do not evaluate the access request during and after the resource usage. Every application hosted in the cloud has its own requirement of evaluating access request; some applications require request evaluation before assigning resources, while some require continuous monitoring of resource usage along with a dynamic update of attribute values. To address these diverse requirements, we present an Extensible Access Control Framework (EACF) for cloud-based applications, which provides high-level extensibility by incorporating different access control models about the needs of the Cloud service consumers (organizations). A number of access control models are combined in the EACF, which provides reliable authorization service for managing and controlling access to the software as a service-hosted cloud applications.It also helps cloud consumers to provide authorized access to resources (data), as well as contributes to eliminate the need to write customized security code for individual applications. As a case study, three access control models are incorporated into the framework and tested on SaaS-hosted application DSpace to ascertain that the proposed features are functional and working fine.

Keywords Software-as-a-service, Access control-as-a-service, Authorization, Cloud computing, Extensible access control markup language, Fine-grained access control, Usage-based access control, Attribute-based access control


Security and management framework for an organization operating in cloud environment

Nasir Raza, Imran Rashid, Fazeel Ali Awan

National University of Sciences and Technology, Pakistan

Abstract Cloud computing has attained tremendous popularity recently, leading to its fast and rapid deployment. However, privacy and security concerns have also increased in the same ratio. The adoption of cloud model has revealed new dimensions of attack, demanding major reconsideration and reevaluation of traditional security mechanisms. If an organization is operating in cloud environment without adopting essential security measures, it may face catastrophic consequences including loss of valuable data, financial damages, or reputation loss etc. Any organization in cloud architecture faces severe security threats and challenges for which a comprehensive security framework is needed. Certain frameworks exist in literature which focus deeply on specific cloud security issues; however, there is a dire need of comprehensive framework encompassing both security-related and management-related issues. This paper initially reviews security challenges and threats to data/applications in cloud environment. Furthermore, a comprehensive security and management framework is proposed for an organization operating in cloud environment. Proposed framework has been implemented in virtualized cloud environment to validate the efficacy of certain features of the model. The data center has been setup in virtualized environment through virtual machines on VMware ESXi-6 hypervisor layer. VMware vCloud-6 has been installed on top of it for provision of services to the users. The proposed framework is a set of guidelines that will adequately secure the organization’s data and applications. The framework incorporates a layered security architecture to achieve utmost level of security for nullifying the impact of threats.

Keywords Security framework for cloud, Security for cloud, Security and management framework for cloud, Security requirements for cloud environment


Software-defined systems support for secure cloud computing based on data classification

Yaser Jararweh1, Mahmoud Al-Ayyoub1, Lo’ai Tawalbeh1,2, Ala’ Darabseh1, Houbing Song3

(1) Jordan University of Science and Technology, Jordan
(2) Computer Engineering Department, Umm-Alqura University, Saudi Arabia
(3) West Virginia University, WV, USA

Abstract The newly emerged Software-Defined Systems (SDSs) promised to reduce computing systems management complexity. This can be achieved by separating the control plane from the data plane. On the other hand, cloud computing usage proliferation creates new challenges for managing user data efficiently. Such challenges include data ownership, data access policies, data privacy and integrity, and the availability of storage space. Using encryption-based solution is effective but very costly. Other solutions that used data classification based on the data priority can mitigate the high cost problem for data encryption. However, managing such data classification systems is very complex. In this paper, we are introducing a Software-Defined System-based solution for deploying efficient data classification framework. Our results show the superiority of the proposed model.

Keywords Software-defined system, Efficient Confidentiality-based Cloud Storage Framework (ECCSF), SHA-2


IT governance and risk mitigation approach for private cloud adoption: case study of provincial healthcare provider

Ayo Gbadeyan, Sergey Butakov, Shaun Aghili

Department of IS Security and Assurance Management, Concordia University of Edmonton, Canada

Abstract Cloud computing (CC) has the potential to provide significant benefits to healthcare organizations; however, its susceptibility to security and privacy apprehensions needs to be addressed before its adoption. It is important to evaluate the risks that arise from CC prior to its adoption in healthcare projects. Failure to evaluate security and privacy concerns could result in regulatory penalties, reputation loss, financial issues, and public loss of confidence in the healthcare provider. This paper uses Alberta’s Privacy Impact Assessment (PIA) requirement and COBIT 5 for Risk as guidance to highlight CC risk assessment areas and presents an IT governance and risk mitigation approach useful for CC adoption in the healthcare industry. In compliance with Alberta’s Health Information Act (HIA), the risk assessment areas are analyzed based on the security triad with emphasis on the confidentiality principle where privacy is the main focus. The proposed approach presented in this paper can be utilized by healthcare providers to mitigate and continuously evaluate CC risks from an IT governance perspective. Although the case study uses Canadian regulations, similar considerations can be taken into account in other jurisdictions.

Keywords Cloud computing, Privacy Impact Assessment (PIA), Healthcare industry, Privacy, Risk, Compliance


Efficient designated server identity-based encryption with conjunctive keyword search

Yang Lu1, Gang Wang1, Jiguo Li1, Jian Shen2

(1) College of Computer and Information, Hohai University, China
(2) School of Computer and Software, Nanjing University of Information Science and Technology, China

Abstract Public key encryption with keyword search is a useful primitive that provides searchable ciphertexts for some predefined keywords. It allows a user to send a trapdoor to a storage server, which enables the latter to locate all encrypted data containing the keyword(s) encoded in the trapdoor. To remove the requirement of a secure channel between the server and the receiver in identity-based encryption with keyword search, Wu et al. proposed a designated server identity-based encryption scheme with keyword search. However, our cryptanalysis indicates that Wu et al.’s scheme fails in achieving the ciphertext indistinguishability. To overcome the security weakness in the scheme and offer the multiple-keyword search function, we put forward a designated server identity-based encryption scheme with conjunctive keyword search. In the random oracle model, we formally prove that the proposed scheme satisfies the ciphertext indistinguishability, the trapdoor indistinguishability and the off-line keyword-guessing attack security. Comparison analysis shows that it is efficient and practical.

Keywords Identity-based encryption, Conjunctive keyword search, Designated server, Random oracle model


The three-dimensional model for dependability integration in cloud computing

Wiem Abderrahim, Zied Choukair

Higher School of Communications of Tunis, Mediatron Laboratory, Tunisia

Abstract Dependability is one of the highly crucial issues in cloud computing environments given the serious impact of failures on user experience. Cloud computing is a complex system based on virtualization and large scalability, which makes it a frequent place for failure. In order to fight against failures in a cloud, we assure dependability differently from the common way where the focus of fault management is on the Infrastructure as a Service and on the cloud provider side only. We propose a model that integrates dependability with respect to three dimensions according to The Open Group Architecture Framework principles. These dimensions involve various cloud actors (consumer, provider, and broker). They take into consideration the interdependency between the cloud service models (Infrastructure as a Service, Platform as a Service, and Software as a Service) and the different architecture levels (contextual, design, logical, procedural, and operations). DMD proves an enhancement of dependability attributes compared to classically designed and executed cloud systems.

Keywords Cloud, Provider, Consumer, Broker, Dependability, Fault management, Infrastructure as a Service, Platform, Software